3

I'm using Forms Authentication and I want to restrict certain pages to certain roles. Right now everyone has access to the entire application once logged in.

But I'd like to restrict certain pages to certain roles. For example, the "view logs" page.

I'm thinking that my web.config file should look like this:

<location path="logs/view/">
<system.web>
  <authorization>
    <allow roles="super, admin"/>
  </authorization>
</system.web>
</location>

But my issue is that, the way the underlying application is built, when a user logs in successfully via an API call I am returned a "User" object and that user's role is part of that object (User.Role == "admin"). I don't really have a reference database table that tells the app what role a user has.

How can I associate the

<allow roles="super, admin"/> 

bit in my web.config to the role property of the User object?

J. Steen
PercivalMcGullicuddy

2 Answers

1

You can wire up to the AuthenticateRequest event of the HttpApplication instance in your global.asax. In that context, you need to configure the IPrincipal implementation to have the desired settings. The easiest way to do this will be by instantiating a RolePrincipal and setting the User property of the HttpContext.

Update: I just looked up some sample implementations that I've posted in previous answers. There is one that is based on ASP.NET MVC and another based on Web Forms.

Community
smartcaveman
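One way to do what the answer above describes, as an added example that is not code from the answer or its linked samples: the role from the login API is stored in the forms ticket and turned into a principal on each request. It uses a GenericPrincipal rather than the RolePrincipal the answer mentions (no role provider required), assumes roleManager is not enabled, and `RoleTicket.SignIn` is a hypothetical helper you would call after the API login with the returned User.Role.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Hypothetical helper: call once the API login succeeds, passing User.Role.
public static class RoleTicket
{
    public static void SignIn(HttpResponse response, string userName, string role)
    {
        // The role travels in UserData. With the default protection="All" the
        // ticket is encrypted and validated, so the browser cannot alter it.
        var ticket = new FormsAuthenticationTicket(
            1, userName, DateTime.Now, DateTime.Now.Add(FormsAuthentication.Timeout),
            false, role);
        response.Cookies.Add(new HttpCookie(
            FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,
            Secure = FormsAuthentication.RequireSSL,
            Path = FormsAuthentication.FormsCookiePath
        });
    }
}

// Global.asax.cs. The web.config rule this feeds needs a deny after the allow,
// otherwise the inherited <allow users="*"/> still admits every user:
//   <authorization><allow roles="super,admin"/><deny users="*"/></authorization>
public class Global : HttpApplication
{
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        // FormsAuthenticationModule has already validated the cookie by this point.
        var identity = Context.User == null ? null : Context.User.Identity as FormsIdentity;
        if (identity == null || !identity.IsAuthenticated) return;

        // UrlAuthorizationModule evaluates <allow roles> through IPrincipal.IsInRole.
        string[] roles = identity.Ticket.UserData.Split(
            new[] { ',' }, StringSplitOptions.RemoveEmptyEntries);
        Context.User = new GenericPrincipal(identity, roles);
    }
}
```

The role is fixed in the ticket until it expires, so a user whose role changes keeps the old one until the next login.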
0

Use location-based settings.

<configuration>
   <location path="Logon.aspx">
      <system.web>
         <authorization>
            <allow users="?"/>
         </authorization>
      </system.web>
   </location>
</configuration>

For more information, you can take a walkthrough on MSDN.

JSJ